<p>Amazon SageMaker is a managed machine learning service in a hosted production-ready environment. To train machine learning models, SageMaker
instances can process potentially sensitive data, such as personal information that should not be stored unencrypted. In the event that adversaries
physically access the storage media, they cannot decrypt encrypted data.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The instance contains sensitive data that could cause harm when leaked. </li>
  <li> There are compliance requirements for the service to store data encrypted. </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>It’s recommended to encrypt SageMaker notebook instances that contain sensitive information. Encryption and decryption are handled transparently by
SageMaker, so no further modifications to the application are necessary.</p>
<h2>Sensitive Code Example</h2>
<p>For <a
href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sagemaker.CfnNotebookInstance.html"><code>aws-cdk-lib.aws-sagemaker.CfnNotebookInstance</code></a></p>
<pre>
import { CfnNotebookInstance } from 'aws-cdk-lib/aws-sagemaker';

new CfnNotebookInstance(this, 'example', {
      instanceType: 'instanceType',
      roleArn: 'roleArn'
}); // Sensitive
</pre>
<h2>Compliant Solution</h2>
<p>For <a
href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sagemaker.CfnNotebookInstance.html"><code>aws-cdk-lib.aws-sagemaker.CfnNotebookInstance</code></a></p>
<pre>
import { CfnNotebookInstance } from 'aws-cdk-lib/aws-sagemaker';

const encryptionKey = new Key(this, 'example', {
    enableKeyRotation: true,
});
new CfnNotebookInstance(this, 'example', {
    instanceType: 'instanceType',
    roleArn: 'roleArn',
    kmsKeyId: encryptionKey.keyId
});
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://docs.aws.amazon.com/sagemaker/latest/dg/encryption-at-rest.html">Protect Data at Rest Using Encryption</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/311">CWE-311 - Missing Encryption of Sensitive Data</a> </li>
  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222588">Application Security and
  Development: V-222588</a> - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at
  rest. </li>
</ul>
